This week's Metasploit update brings urgent attention to two critical vulnerabilities that demand immediate defensive action. Rapid7 researchers have released modules for a significant authentication bypass in the Cisco Catalyst SD-WAN Controller (CVE-2026-20182) and a critical code execution flaw in the HUSTOJ online judge platform (CVE-2026-24479).
The Cisco vulnerability is particularly alarming for enterprise defenders; it allows unauthenticated attackers to interact with the management interface of a core network infrastructure component. Coupled with the HUSTOJ zip-slip vulnerability, which facilitates remote code execution, we are seeing a clear trend where web-facing management interfaces and assessment platforms remain prime targets for initial access. Security teams must immediately scan for these vulnerable implementations and assume active scanning attempts are imminent given the availability of exploit code.
Technical Analysis
Cisco Catalyst SD-WAN Controller (CVE-2026-20182)
- Affected Product: Cisco Catalyst SD-WAN Controller (formerly vManage).
- Vulnerability Type: Authentication Bypass.
- Metasploit Module: admin/networking/cisco_sdwan_vhub_auth_bypass.
- Technical Detail: The vulnerability exists due to a missing authentication check on a specific network component within the controller's API. Specifically, the module targets an oversight where the device was "missing an extra A for authentication." This allows attackers to send requests to administrative endpoints without valid session tokens. Successful exploitation could allow an attacker to modify network topology, intercept traffic, or pivot deeper into the SD-WAN fabric.
- Exploitation Status: Proof-of-concept code is now available in Metasploit, significantly lowering the barrier to entry for commodity attackers.
HUSTOJ Online Judge (CVE-2026-24479)
- Affected Product: HUSTOJ (a popular open-source online judge system for programming competitions).
- Vulnerability Type: Zip-Slip leading to Remote Code Execution (RCE).
- Technical Detail: The platform fails to properly sanitize archive paths (Zip-Slip) when handling submitted zip files. By crafting a malicious zip file containing path traversal sequences (e.g., ../../), an attacker can write arbitrary files to the server's filesystem. This leads to critical code execution, typically by overwriting web-accessible files or cron jobs.
- Exploitation Status: Weaponized in Metasploit; active exploitation in educational and development environments is highly likely.
Detection & Response
Given the release of Metasploit modules, SOC teams must prioritize hunting for signs of exploitation. The following rules and queries are designed to detect the specific behaviors associated with these CVEs.
Sigma Rules
---
title: Potential Cisco SD-WAN Auth Bypass Exploitation
id: 89b3c1e2-f4d6-4a8e-9b1a-2c3d4e5f6a7b
status: experimental
description: Detects potential exploitation of CVE-2026-20182 targeting Cisco Catalyst SD-WAN Controller administrative interfaces without prior authentication events.
references:
  - https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-05-22-2026
author: Security Arsenal
date: 2026/05/22
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: proxy
detection:
  selection:
    # Assumes the controller is reachable only from RFC1918 management space;
    # drop this clause if the interface is exposed more widely
    c_ip|startswith:
      - '10.'
      - '192.168.'
    destination_port: 443
    http_method: POST
    uri|contains:
      - '/admin'
      - '/dataservice'
      - '/sdwan'
  # Named "success" rather than "filter" because it is ANDed in, not excluded:
  # only requests the controller actually accepted (HTTP 200) are flagged
  success:
    sc_status: 200
  condition: selection and success
falsepositives:
  - Legitimate administrative API calls from known management stations
level: high
---
title: HUSTOJ Zip-Slip RCE Web Shell Spawn
id: 1a2b3c4d-5e6f-7890-1234-567890abcdef
status: experimental
description: Detects potential web shell activity or code execution resulting from CVE-2026-24479 (Zip-Slip) on HUSTOJ platforms.
references:
  - https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-05-22-2026
author: Security Arsenal
date: 2026/05/22
tags:
  - attack.execution
  - attack.t1505.003
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    # Web server or PHP worker as the parent ...
    ParentImage|endswith:
      - '/apache2'
      - '/httpd'
      - '/nginx'
      - '/php-fpm'
    # ... spawning an interpreter or shell as the child
    Image|endswith:
      - '/sh'
      - '/bash'
      - '/python'
      - '/perl'
  condition: selection
falsepositives:
  - Legitimate administrative script execution by developers
level: critical
KQL (Microsoft Sentinel)
// Hunt for Cisco SD-WAN Suspicious Administrative Access
Syslog
| where Facility in ("nginx", "apache", "syslog")
| where ProcessName contains "vmanage" or SyslogMessage contains "POST"
| parse SyslogMessage with * "POST " Path " HTTP" *
| where Path has_any ("/admin", "/dataservice/device", "/sdwan")
// The Syslog table has no SourceIP column (HostIP is the log sender, not the HTTP client),
// so pull the client address out of the message text
| extend SourceIP = extract(@"(\d{1,3}(?:\.\d{1,3}){3})", 1, SyslogMessage)
| project TimeGenerated, Computer, SourceIP, Path, ProcessName
| summarize count() by SourceIP, Path, bin(TimeGenerated, 5m)
| where count_ > 10 // Threshold for bulk scanning
// Hunt for HUSTOJ Web Shell Creation via Zip-Slip
DeviceProcessEvents
| where InitiatingProcessFileName in~ ("apache2", "httpd", "nginx", "php-fpm")
| where FileName in~ ("sh", "bash", "python3", "perl", "php")
| where isnotempty(ProcessCommandLine)
| extend ParentProc = InitiatingProcessFileName, ChildProc = FileName, CommandLine = ProcessCommandLine
| project Timestamp, DeviceName, ParentProc, ChildProc, CommandLine, AccountName
Velociraptor VQL
-- Hunt for suspicious web server processes potentially indicating HUSTOJ RCE
-- (pslist() exposes the start time as CreateTime; =~ is a regex match in VQL)
SELECT Pid, Name, Exe, CommandLine, Username, CreateTime
FROM pslist()
WHERE Exe =~ 'apache2' OR Exe =~ 'nginx' OR Exe =~ 'httpd'
-- Hunt for recently modified files in common web roots (potential Zip-Slip artifacts, last 24h)
-- Adjust the globs to the HUSTOJ web root in use on the host
SELECT OSPath, Size, Mode, Mtime
FROM glob(globs=["/var/www/html/**", "/home/judge/src/web/**"])
WHERE NOT IsDir AND Mtime > timestamp(epoch=now() - 86400)
-- Check for shell processes spawned by web users
SELECT Pid, Ppid, Name, Exe, CommandLine, Username
FROM pslist()
WHERE Username =~ 'www-data' AND Name IN ('sh', 'bash', 'python', 'nc', 'perl')
Remediation Script (Bash)
#!/bin/bash
# Remediation and Detection Script for CVE-2026-24479 (HUSTOJ)
# Checks for common HUSTOJ installation paths and suspicious recent files
set -u

echo "[*] Checking for HUSTOJ installations..."
WEB_ROOTS=("/var/www/html" "/usr/local/apache2/htdocs" "/home/judge/src/web")
for root in "${WEB_ROOTS[@]}"; do
    if [ -d "$root" ]; then
        echo "[+] Found web root: $root"
        # Check for presence of HUSTOJ specific files (e.g., include/db_info.inc.php)
        if [ -f "$root/include/db_info.inc.php" ]; then
            echo "[!] HUSTOJ detected at $root"
            echo "[*] Searching for recently modified files (last 24 hours) which may indicate Zip-Slip exploitation:"
            find "$root" -type f -mtime -1 -ls
        fi
    fi
done

echo "[*] Checking for running shell processes owned by www-data (potential web shell):"
# Word boundaries keep e.g. "ssh" or "php-fpm" from matching the short interpreter names
ps aux | grep -E '^www-data.*\b(sh|bash|python[0-9.]*|perl|nc)\b' | grep -v grep

echo "[+] Remediation: Apply vendor patches for HUSTOJ immediately. Restrict file upload permissions to the web root."
Remediation
- Cisco Catalyst SD-WAN (CVE-2026-20182):
  - Patch Immediately: Review the Cisco Security Advisory for CVE-2026-20182 and upgrade to the latest patched release of the Catalyst SD-WAN Controller software.
  - Network Segmentation: Ensure the management interface of the SD-WAN controller is not accessible from the internet. Restrict access strictly to known management subnets via ACLs or firewall policies.
  - Audit Logs: Review controller logs for any unauthorized administrative API calls or configuration changes dating back to May 22, 2026.
- HUSTOJ (CVE-2026-24479):
  - Update Source Code: If running the open-source version, pull the latest patches from the official HUSTOJ repository that address the zip-slip vulnerability.
  - Input Validation: Ensure that the archive handling logic sanitizes file paths to prevent directory traversal.
  - Sandboxing: Run the judging service in a containerized or isolated environment to limit the impact of RCE on the host system.
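The Zip-Slip check that the Technical Detail and the Input Validation item above describe, as an added example that is not HUSTOJ's own code: every entry is resolved against the destination directory before extraction, and anything that would land outside it (a "../" sequence or an absolute path) is refused and returned for alerting. The sample archive, the entry names and the destination path are constructed for the demonstration.

```python
import io
import os
import tempfile
import zipfile


def classify_entries(zip_bytes: bytes, dest: str):
    """Split archive entries into (safe, rejected) by where they would be written."""
    dest_real = os.path.realpath(dest)
    safe, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # os.path.join discards dest for absolute names, and realpath collapses "../",
            # so any entry escaping dest fails the common-prefix test below
            target = os.path.realpath(os.path.join(dest_real, name))
            if name.startswith(("/", "\\")) or os.path.commonpath([dest_real, target]) != dest_real:
                rejected.append(name)
            else:
                safe.append(name)
    return safe, rejected


def extract_safely(zip_bytes: bytes, dest: str) -> list:
    """Extract only the safe entries; return the rejected names so the caller can log or alert.

    Python's ZipFile.extract() already strips ".." components itself, but an explicit
    pre-check lets the service refuse the upload instead of silently remapping the path."""
    safe, rejected = classify_entries(zip_bytes, dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in safe:
            zf.extract(name, dest)
    return rejected


def build_sample_archive() -> bytes:
    """Constructed sample: one legitimate submission file plus one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("solution.cpp", "int main() { return 0; }\n")
        zf.writestr("../../outside.txt", "would land above the upload directory\n")
    return buf.getvalue()


def demo():
    """Run the check against the sample in a scratch directory; returns (rejected, files written)."""
    with tempfile.TemporaryDirectory() as d:
        rejected = extract_safely(build_sample_archive(), d)
        written = sorted(os.listdir(d))
    return rejected, written


if __name__ == "__main__":
    print(demo())
```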